[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Some suggestions for draft-ietf-v6ops-cpe-simple-security-03
On 2008-08-26 10:07, Dan Wing wrote:
>>>> How does it know that a Protocol 41 packet is unsolicited?
>>> The same way it knows a non-protocol 41 packet is solicited: the
>>> host sends a packet first -- the host being protected by the CPE
>>> doing Simple Security.
>> How does that work if Host A (behind the CPE) has informed Host X
>> (outside) of the tunneled address of Host B (also behind the CPE)?
>> In other words A has solicited X to send a packet to B.
>
> The network diagram would look like this, I believe:
>
> +-----+
> Host A ---+ |
> + CPE +--------- Internet ------ Host X
> Host B ---+ |
> +-----+
>
>
> If the CPE is providing security -- as this draft is titled -- the
> traffic from X to B would be blocked.
>
> To permit such traffic, B would need a way to tell the CPE to allow
> such traffic from X (or to allow arbitrary traffic from any host
> on the Internet). This is described in Section 3.4 of
> draft-ietf-v6ops-cpe-simple-security-03 (where James mentions
> Apple's ALD") but, to my knowledge, has not received much
> attention and I do not know if it has working group consensus.
The thing is that it can't meet any reasonable definition of
'simple'...
But blocking tunnels by default, although it's simple, also
blocks innovation. That worries me.
Brian